When the European Union’s new data privacy rules are implemented on May 25th, the way the web is regulated will change forever, and it’s not just a legal issue. After the lawyers, product designers are next in the compliance hot-seat.
You’re no dummy. You’ve known for a while now that the European Union’s General Data Privacy Regulation becomes enforceable on May 25th. You know that, whether you are based in Europe or not, if you do business with an EU company or have even one European citizen on your payroll, you’ve had to rejig how you store personal data, whether compiled internally on your servers or gathered from your company’s website, be it from customers, new-hire candidates, or employees. You’ve consulted your legal department and even retained outside counsel to ensure that when the clock strikes midnight on May 24th – in GMT+1, of course – none of your company departments will be left hanging in the breeze.
And since you’ve got that sorted, the next step is to examine how GDPR compliance will affect your product design, because chances are you have a website, and we’ll lay down cash money it wasn’t designed with GDPR in mind. So where do you start when compliance means working backwards?
The first thing to consider is permission. We’ve grown accustomed to Silicon Valley software asking for access to our smartphone cameras, photos and address books – and, for the most part, to handing over this gold mine of personal data without a second thought – but GDPR demands that you, the digital business owner, give anyone who uses your website clear notice that their data is being gathered, and a choice over whether, and for how long, you may store it: anything from an email address or a phone number to more complex information you could feasibly sell to other parties. The keywords here are Explicit Consent, and there are a few steps you need to follow.
By now we are used to clicking away the cookies permission box like swatting a fly at a picnic, so your first line of site adjustment can be as easy as altering your cookies pop-up to include a permissions box for storing visitor/customer data. In GDPR terms, this is an active opt-in: consent has to come from the visitor’s own action, not from a default. In addition, visitors must be informed, which means that if you’re redesigning your pop-ups, you must make it clear that personal information may be shared, for either commercial or analytical purposes, and provide a clear choice to opt in, or not.
Unbundle Your Presentation
The presentation of these terms and conditions must also be unbundled, which means the personal data information must be presented separately from the usual terms and conditions you may already have in place, and both how the information will be shared and which third parties will receive it must be named. If a user consents to have their data shared and then, in a few minutes, days, weeks or months, changes their mind, it must be just as easy to withdraw from data sharing.
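As an added illustration (not code from the original article), here is how the rules above translate into a data model: a minimal consent ledger in Python, with hypothetical names, that keeps one record per purpose (unbundled), refuses to store anything that was not an affirmative tick, records the recipients named in the notice, and stops authorising processing once consent is withdrawn or the retention period the visitor agreed to has passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class ConsentRecord:
    purpose: str                 # one record per purpose, e.g. "marketing"
    third_parties: Tuple[str, ...]  # recipients named in the notice the visitor saw
    notice_version: str          # which wording was shown, for later proof
    granted_at: datetime
    retention: timedelta         # how long the visitor agreed to storage
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Hypothetical consent store; keyed by (subject_id, purpose)."""

    def __init__(self):
        self._records = {}

    def record_opt_in(self, subject_id, purpose, third_parties, notice_version,
                      retention_days, ticked, now=None):
        # Explicit consent: only the visitor's own affirmative action counts.
        # A pre-ticked box or silence arrives here as ticked=False and is never stored.
        if not ticked:
            return False
        now = now or datetime.now(timezone.utc)
        self._records[(subject_id, purpose)] = ConsentRecord(
            purpose, tuple(third_parties), notice_version, now,
            timedelta(days=retention_days))
        return True

    def withdraw(self, subject_id, purpose, now=None):
        # Withdrawal must be as easy as opting in: one call, no conditions.
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def may_process(self, subject_id, purpose, recipient=None, now=None):
        """True only while an unwithdrawn, unexpired consent exists for this
        purpose and, if a recipient is given, that recipient was named."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        now = now or datetime.now(timezone.utc)
        if now >= rec.granted_at + rec.retention:
            return False
        return recipient is None or recipient in rec.third_parties
```

Sharing with a party that was not named in the notice, or for a purpose the visitor never ticked, is refused by `may_process` rather than left to the caller's judgement.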
Create a Framework
If, by chance, you’re a new business building your website, you have the advantage of being able to take GDPR into account from the ground up, and you’ll be pleased to discover there’s been a privacy framework kicking around since the nineties, called Privacy by Design, though its true urgency is just starting to be appreciated.
Even if you’re dabbing beads of relief off your brow because GDPR doesn’t specifically apply to you, if you’re found to be non-compliant after May 25th, fines can reach €20 million, or four percent of your yearly global gross, whichever is higher. Not fun. But security-wise, this is the way the web is going, and a bit of forward thinking now could save you several migraines later.